New Ransomware Uses GnuPG to Encrypt Files

Security companies have come across a new piece of ransomware that's designed to encrypt files on infected computers. What's interesting about this threat is that it's easy to update and it uses open source software to encrypt files.

Both Symantec and Trend Micro have analyzed the malware, which they've dubbed Trojan.Ransomcrypt.L and BAT_CRYPTOR.A, respectively. Once it infects a computer, the crypto ransomware uses GNU Privacy Guard (GnuPG), an open source implementation of the OpenPGP standard, to encrypt files and hold them for ransom.

The main component of Ransomcrypt is a batch file that enables the attackers to easily update the malware and control its behavior, Symantec said.

"The threat downloads the 1024-bit RSA public key and imports this key through an option in GnuPG. The malware then encrypts the victims’ files by using GnuPG’s Encrypt Files option with the public key. If the user wants to decrypt the affected files, they need the private key, which the malware author owns. It’s difficult for victims to decrypt the encrypted files without this private key," Symantec's Kazumasa Itabashi wrote in a blog post.

Trend Micro has pointed out that GnuPG doesn't need to be installed on infected systems for the ransomware to perform its encryption routines. The malware is designed to download a copy of the application if necessary.

Once the files are encrypted, they're renamed to "[file name].[email protected]_com." Then, a text document written in Russian informs victims that they have to pay €150 ($200) to recover their files. Users are instructed to contact a specified email address for information on how to decrypt the compromised files.

In addition to BAT_CRYPTOR.A, Trend Micro has spotted another new crypto ransomware which it has dubbed Cryptoblocker (TROJ_CRYPTFILE.SM). Unlike BAT_CRYPTOR.A, this threat doesn't target only Russian speakers. Infections have been spotted in several countries, but the most affected are the United States (28% of infections), France(17%), Japan (10%), Spain (8%) and Italy (7%).

"This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found thatthe advanced encryption standard (AES) is found in the malware code," Trend Micro Research Engineer Eduardo Altares II explained in a blog post.

Trend Micro believes Cryptoblocker might be the creation of inexperienced malware writers because compiler notes have not been removed from the code, allowing security researchers to detect the files they create.

Another interesting piece of ransomware uncovered recently is CTB-Locker (Critroni), which is the first threat of this kind to use Tor for communications with command and control (C&C) servers.